Event Logs Computer Forensics
A computer forensics examiner can gain critical information from the Windows Event Viewer. This tool allows users to view and manage the logs of various events on a Windows system. An examiner can extract data from security logs, system logs, application logs, PowerShell logs, Remote Desktop logon logs, and many more. The Event Viewer launches by opening the Control Panel, selecting the "Administrative Tools" option, and then choosing "Event Viewer". These logs can provide valuable information for forensic investigations, such as:
The Event Viewer has three main sections: the "Application" log, the "Security" log, and the "System" log. Each of these logs contains different events that have occurred on the system. The "Application" log contains events related to applications and services installed on the system, including errors, warnings, and other important information about how those applications are functioning. The "Security" log contains events related to security on the system, such as user logon and logoff events and events related to security threats and breaches. The "System" log contains events related to the overall performance and functioning of the system, such as system startup and shutdown and hardware and software issues. Users can view the events by selecting a log and then browsing the events in the central pane of the tool. Each event is accompanied by a description and other relevant details, such as the date and time of the event and its source.

Windows "Remote Desktop" logs record information about Remote Desktop connections to a computer. When you use Remote Desktop to connect to a computer, the Remote Desktop client on your local computer sends a request to the Remote Desktop service on the remote computer. If the connection is successful, the Remote Desktop service establishes a connection and allows you to access the remote computer. The Remote Desktop logs contain information about the connection, such as the date and time at which a user's account established the network connection and the status of the connection. These logs can be helpful for troubleshooting problems with Remote Desktop connections, as well as for tracking and monitoring Remote Desktop usage. In many cases they are a critical part of a forensic examination.
The PowerShell Windows event logs show various events related to the execution of PowerShell scripts and commands, including the start and end times of PowerShell scripts, the user who initiated the script or command, the success or failure of the script or command, and any errors or warnings that occurred during execution. They may also include information about the parameters or arguments used in the script or command and any changes made to the system or environment as a result of it.

The computer forensics professional must extract these log files from the forensic image and open them with the Event Viewer on the examiner's own computer. These files have the file extensions *.evt and *.evtx.

Overall, the Windows Event Viewer is a helpful tool for viewing and managing the logs of various events on a Windows system. It provides critical information such as computer logons and the actions taken during them.
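As an added example (not code from the original article), the following PowerShell session reads exported Security and PowerShell Operational .evtx files with Get-WinEvent on the examiner's workstation and lists RDP logons and logged script blocks; the case folder path D:\case001\evtx is a placeholder assumption.

```powershell
# Added example, not from the original article. Triage .evtx files that were
# exported from a forensic image, instead of clicking through Event Viewer.
# Assumption: the examiner copied the image's C:\Windows\System32\winevt\Logs\*.evtx
# into D:\case001\evtx on the analysis workstation (placeholder path).
$EvtxDir = 'D:\case001\evtx'

function ConvertTo-EventDataMap {
    # Flattens a record's <EventData> into a Name -> value hashtable so fields can
    # be read by name rather than by positional index.
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Record)
    $xml = [xml]$Record.ToXml()
    $map = @{}
    foreach ($node in @($xml.Event.EventData.Data)) {
        if ($node.Name) { $map[$node.Name] = $node.'#text' }
    }
    return $map
}

# 1. Logons from the Security log (event 4624). LogonType 10 (RemoteInteractive)
#    is an RDP session; IpAddress is the client that connected.
$logons = Get-WinEvent -FilterHashtable @{
        Path = (Join-Path $EvtxDir 'Security.evtx'); Id = 4624
    } -ErrorAction SilentlyContinue | ForEach-Object {
        $d = ConvertTo-EventDataMap $_
        [pscustomobject]@{
            TimeCreated = $_.TimeCreated
            User        = "$($d.TargetDomainName)\$($d.TargetUserName)"
            LogonType   = [int]$d.LogonType
            SourceIp    = $d.IpAddress
            LogonId     = $d.TargetLogonId   # joins to 4634/4647 logoff events
        }
    }
$logons | Where-Object LogonType -eq 10 | Sort-Object TimeCreated | Format-Table -AutoSize

# 2. PowerShell script block logging (event 4104) lives under Applications and
#    Services Logs; the channel name's '/' becomes '%4' in the file name. It holds
#    the text of every script block that ran, which is what the examiner wants.
$psLog = Join-Path $EvtxDir 'Microsoft-Windows-PowerShell%4Operational.evtx'
Get-WinEvent -FilterHashtable @{ Path = $psLog; Id = 4104 } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $d = ConvertTo-EventDataMap $_
        [pscustomobject]@{
            TimeCreated = $_.TimeCreated
            UserSid     = $_.UserId
            Script      = ($d.ScriptBlockText -replace '\s+', ' ')
        }
    } | Sort-Object TimeCreated | Format-List
```

Script block logging (4104) is only present if it was enabled on the imaged system, so an empty result does not by itself mean no PowerShell ran.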